HP Application Security Center News

AMP 8.00 Released

jmorgan127 — Fri, 17 Apr 2009 03:42:00 GMT

On Wednesday April 15^th we announced a major release of HP Applications Security Center's Assessment Management Platform. Version 8.00 of the flagship enterprise web application security product brings innovations and feature across the system to enable our customers to:

Establish a web application security Center of Excellence which crosses the organization and the application lifecycle

Leverage and scale the capabilities of you limited security resources and increase security testing coverage of your enterprises web assets by engaging resources outside your core application security team.
Address application security earlier in the applications lifecycle to reduce rework and risk
Free up your security specialists to focus on high value target sites and security activities
Protect sensitive security information and control the use of powerful web application scanning tools through AMP's central management
Integrate with IT systems to identify web assets the data that they expose and incorporate web application security into the greater Application Lifecycle and IT processes.

Build a unified picture of your corporate web application assets and security efforts across the enterprise to add business context, improve web application security efforts and make better business decisions.

Focus on the areas of high risk to the business and identify coverage holes
Communicate to business management in the context of business needs
Identify organizational level trends and opportunities
Track and manage application security process, compliance and vulnerabilities

Target Web 2.0 technology with best-in-class tools that

Automatically decompile and statically analyze client-side Rich Internet Applications
Automatically traverse client-side applications built entirely in JavaScript
Accurately authenticate to complex web applications

Over the next few weeks I will be dedicating blog entries to each of the above areas and how you can use AMP 8.00 to improve and mature your Web Application Security program. The team has done extensive work across the product to support these capabilities, and though we are going to delve deeper into the above areas and the features that support them across the next few weeks, I want to give you a taste of what is in this release. Here is a brief list of what's new and improved in AMP 8.00.

New in the AMP 8.00

Tagging / Custom Properties - Add asset, business, regulatory, project and process information through a flexible name / value pair tagging system to give context to the information and

Identify coverage holes and areas of high risk
Communicate to business management in the context of business needs
Identify organizational level trends, risks, and opportunities
Track and manage status and process

Customizable and Enterprise Reporting - AMP 8.00 features a new enterprise level reporting system capable of considering data from across the system and rolling that up into enterprise level reports. This highly flexible system gives the customer the ability to create a custom reporting set that is build for their specific organizational and business needs to:

Generate reports that rollup data to business level entities (ex. Business units, development team, functional area, etc.)
Track projects across lifecycle and version changes.
Visualize Trends across scans, sites, organizations, etc.

Scan Monitoring - View rich, near real time, status information on scans executing on the AMP Sensors. The ability to monitor the scans progress in near real time dramatically simplifies this scenario. Reducing the time and effort required to configure and execute WAS scans.
Pluggable "Send To" Integration Infrastructure - The "Send To" infrastructure allows the customer or ASC professional services to quickly build integrations between the AMP system and other key Application Lifecycle and IT systems.
Flash Static Analysis - AMP Sensors can now decompile Shockwave Flash (SWF) files and then perform static analysis on the resulting ActionScript 3 code, detecting vulnerabilities such as insecure programming practices, insecure application deployment, Adobe "best practices" violations, and information disclosures.
Optional Depth First Crawler - Depth-first crawling accommodates sites that enforce order-dependent navigation (where you must visit page A before you can visit page B).
Java Model View Control (MVC) Support- Based on in-depth research by the HP DevInspect for Java team, AMP Sensors now supports applications built on the Java MVC platform by the use of the Depth First Crawler, Path-based Attacks, and Navigational Parameters.
more...

Improved in AMP 8.00

Enhanced Vulnerability Management and Viewing - Quickly review, manage and annotate vulnerabilities from within the AMP user interface. Give the extended application security team (including development, QA and lesser skilled technicians) the ability to perform the scan review process without the need of an extensive desktop tool.
Scan Template Generation - Easily provide a scan template for others stakeholders within the application lifecycle so that they may execute the scans, freeing up the security specialists, to focus on high value target sites and security policies.
Revamped Web Macro Recorder - The Web Macro Recorder is now easier to use and incorporates a new algorithm for determining a logout condition.
Scalability Enhancements - The fundamental data access and display methodology of the AMP system has been improved to greatly enhance the scalability and responsiveness of the AMP system.
more...

The AMP 8.00 release is available now to all AMP customers with a current support contract. AMP customers should contact HP technical Support for access to new software online at http://support.openview.hp.com/ or call 1-800-633-3600. You will need your SAID and AMP License Token.

For more information on this release, check out our

Press release: http://www.hp.com/hpinfo/newsroom/press/2009/090415xa.html

and

Launch page: www.hp.com/go/stophackers

and

watch this blog for more to come....

Jeff Morgan

Product Manager, HP Assessment Management Platform
HP Application Security Center

Announcing WebInspect 8.0.548 Available Now!

joe.yeager — Wed, 01 Apr 2009 09:15:00 GMT

It is with great pleasure that I announce on behalf of HP Application Security Center, the next leap forward in web security products with the release of WebInspect 8.0. With a long list of features, we hope that you are as fired up about this release as we are. Below is just a taste of the many improvements you will enjoy.

What's New

Flash Static Analysis - WebInspect can now decompile Shockwave Flash (SWF) files and then perform static analysis on the resulting ActionScript 3 code, detecting vulnerabilities such as insecure programming practices, insecure application deployment, Adobe “best practices” violations, and information disclosures.
New Reporting System - WebInspect’s new and powerful reporting system facilitates the presentation of analyzed data. Now you can:
- Create reports that are flexible, scalable, and faster using an improved generation workflow.
- Modify standard reports or design your own using our new report designer.
- Include information from external data sources.
- Customize fonts, colors, and backgrounds with the new style editor.
- Generate scan reports with a professional, polished appearance.
- Focus analysis on a single session with our new session reports.
Optional Depth First Crawler - Depth-first crawling accommodates sites that enforce order-dependent navigation (where you must visit page A before you can visit page B). This method traces the first link on a page to the first link on the referenced page before returning to the original page and tracing the second link. By contrast, breadth-first crawling (which is also available) follows all the links on a page before drilling down to the pages that are being linked.
Java Model View Control (MVC) Support- Based on in-depth research by the HP DevInspect for Java team, WebInspect now supports applications built on the Java MVC platform by the use of the Depth First Crawler, Path-based Attacks, and Navigational Parameters.
Integration with IBM Rational ClearQuest - You can now send vulnerabilities as defects directly to IBM Rational ClearQuest version 7.
Support for 64-bit Vista - You can now run WebInspect on 64-bit Vista operating systems.

What's Improved

Significantly Improved Script Processing - WebInspect now handles applications that have heavy client-side JavaScript. As applications move to the client, they become a single page that delivers an application almost entirely written in JavaScript, making it very difficult for a scanner to follow links when crawling the application. Crawling is becoming more about following code paths through the JavaScript, analyzing how the application changes from the user’s perspective, watching AJAX requests and making attacks to the server accordingly. WebInspect 8.0 delivers breakthroughs in JavaScript technology by tracing and recording code paths as subsessions, which are then audited to reveal vulnerabilities.
Revamped Web Macro Recorder - The Web Macro Recorder is now easier to use and incorporates a new algorithm for determining a logout condition. Once you record the login sequence, the Web Macro Recorder automatically samples the Web site to discover specific keywords that are present when state has been acquired and when it has been lost. This allows the scanner to reacquire state if it inadvertently becomes "logged out." The Web Macro Recorder also now allows you to verify that your macros work as expected before you use them.
Smart Assessment Fingerprinting - WebInspect is now more accurate than ever when choosing which checks to use against websites. It runs a series of fingerprint requests to determine the server type, version, and platforms supported.
Improvements to Start Page - The layout, appearance, and general usability of the page have been improved. It displays new scan attribute columns in the Manage Scans workspace, which improves scan selection. You can also group scans by scan attributes. The Activity Panel is also collapsible to increase your Manage Scans workspace.
Improvements to Scan View - Excluded hosts and allowed hosts are distinctly grouped, and the Scan statistics panel has been moved to the right of the dashboard for a better look and feel. The Scan Dashboard has an improved layout featuring a prominent scan status, crawl and audit activity indicators with rolling performance counters, script (JavaScript and VBScript) execution indicator, and a listing of attack engines grouped by attack type.

WebInspect 8.0 is currently LIVE on SmartUpdate!

Simply open WebInspect and connect to SmartUpdate, our standard patch channel, and you will automatically receive WebInspect 8.0.

Pre-Requisite Notes:

Requires .NET Framework 3.5 Service Pack 1
Requires SQL Server 2005 or SQL Server 2005 Express (free)
Does not support SQL Server 2008 or SQL Server 2008 Express

Upgrade to .NET 3.5 Service Pack 1

joe.yeager — Tue, 24 Feb 2009 22:06:00 GMT

Attention all WebInspect, AMP, and QAInspect users,

The next version of WebInspect, QAInspect, and the AMP sensors* will require the .NET Framework 3.5 Service Pack 1. Microsoft has released this version via Windows/Microsoft Update as a high priority update which means that some of you may already have it installed. If not, make sure your systems are ready in advance by installing it from either of the following links.

Bootstrapper install: http://www.microsoft.com/downloads/details.aspx?familyid=ab99342f-5d1a-413d-8319-81da479ab0d7&displaylang=en
Full [Direct] download: http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe

Installing this version will not affect your current installations of WebInspect, AMP, or QAInspect and is highly recommended by our support team as it has many memory and performance improvements.

In anticipation of this question, we cannot provide details as to the timing of the next release of any of these products due to standard HP policies.

* - Only the servers will require the upgrade with their next release. The next release of the AMP Server will not require the upgrade initially, but we anticipate that a future versions may so we advise you to go ahead and upgrade these as well. In doing so, the server will benefit from the performance and stability improvements mentioned above.

Cheers,
Joe

HP QAInspect 5.1 now available

patrick.wolf — Tue, 14 Oct 2008 23:51:00 GMT

Introducing HP QAInspect 5.1

I am pleased to announce the release of HP QAInspect 5.1 for electronic download and SmartUpdate. QAInspect 5.1 will appear on the HP.com domain for customer and evaluation download within the next few weeks after the system has processed it. This release includes minor cosmetic changes but major changes under-the-covers to improve our integration with Quality Center (in preparation for QC 10) and the latest SecureBase engine. This product was distributed to and tested by several customers in an Early Access Program with great results.

What’s New in 5.1

Improved User PermissionsQAInspect no longer uses the Command Object to communicate with Quality Center. This dramatically reduces the minimum user permissions needed to run a QAInspect test.

To integrate QAInspect into a Quality Center project requires ”Customize Project Entities” as a minimum access requirement. This is a one-time setting that creates the custom fields necessary in the project. Once it is included in the project any user is able to use QAInspect.
Quality Center’s default QA Tester user level is now sufficient to configure and run a QAInspect test. This role is also able to fully publish defects found during a security scan.

Updated Scan Engine

QAInspect 5.1 has been updated to include the most recent scanning engine making it compatible with WebInspect 7.7. This includes new tests, performance improvements and greater infrastructure support.

 Enhancements to the Cross-Site Scripting (XSS) Engine

 Significant SQL Injection Engine Accuracy Improvements

```
 Enhancements to the JavaScript Parser
```

Automatic Proxy configuration (PAC) support:With the inclusion of the latest scanning engine QAInspect 5.1 also inherits full support for automatic proxy configuration (PAC) files. If your organization utilizes PAC files please test this version to assure that it works in your environment. Deactivate License:QAInspect licenses are assigned to specific computers. If you would like to transfer a license from one computer to another, you can now use the Deactivate license feature. Ready for Download Today:Install Files

https://download.spidynamics.com/products/qainspect/hp/qainspectqcsetup.exe

Documentation

Quick Start - https://download.spidynamics.com/products/qainspect/hp/qainspectqcquickstart.pdf

User Guide - https://download.spidynamics.com/products/qainspect/hp/qainspectqcuserguide.pdf

Release Notes - https://download.spidynamics.com/products/qainspect/hp/qainspectqcreleasenotes.txt

WebInspect 7.7.869 Now Available

joe.yeager — Thu, 12 Jun 2008 11:00:00 GMT

An update for WebInspect is now available via SmartUpdate. The update includes some great changes which have been detailed below. Enjoy!

Improvements to the Regular Expression Editor
Optimized some functions for improved performance (language syntax application, syntax evaluation triggering points, etc).
Disabled match tree updates on match fill. Refactored control that contains text to test and disabled painting while highlighting. Improved test for validity of request/response templates.

Enhancements to the Cross-Site Scripting (XSS) Engine
Improved detection of Cross-Site Scripting vulnerabilities and improved consistency in stored Cross-Site Scripting detection. Improved accuracy of Cross-Site Scripting against Domino HTTP headers, as well as when filters are used to remove "alert" from the query string, in Header Injection, and in chain drop-down sites.

Significant SQL Injection Engine Improvements
Improved "diffing" technology for blind SQL Injection. Implemented data extraction for proving confirmed SQL Injection. Improved vulnerability categorization, and created a new check that is flagged when SQL Injection is confirmed but data extraction is not possible because of some limitations such as database not supported, database version does not support data extraction, et cetera.

Enhancements to the JavaScript Parser
Fixed a recurring error when parsing script out-of-process and enhanced the detection of forms in JavaScript so that more forms are found.

Improved Results for Web Brute
Integrated DiffEngine changes into Web Brute for improved results.

Stability Enhancements
Significant work was put towards closing a large number of outstanding issues. See the release notes for more details.

Miscellaneous Improvements
Additional enhancements include better handling of Proxy PAC files, Firefox Proxy support, and improved Oracle application support. Additionally, the "Manage Existing Scans" dialog now remembers its window size and position.

For additional details and a full list of issues resolved, check out the release notes.

- Joe

DevInspect 5.0 is now available.

patrick.wolf — Tue, 01 Apr 2008 00:09:00 GMT

Introducing HP DevInspect 5.0

HP DevInspect extends the reach of HP’s Application Lifecycle Optimization portfolio into product development. Combining our award-winning dynamic application scanning technology with static code analysis, HP DevInspect is the only tool available that performs true Hybrid Analysis – both white-box and black-box testing. HP DevInspect is seamlessly integrated with the Integrated Development Environment (IDE) – Visual Studio for .NET or Eclipse or RAD for Java – minimizing the training required to learn a new tool and eliminating any disruption of the development timeline. The release of HP DevInspect 5.0 further enhances Hybrid Analysis and increases development efficiencies with the following features:

Visual Studio 2008 Support

HP DevInspect for .Net now supports Microsoft Visual Studio 2008 and Visual Studio 2005. Businesses can now test for vulnerabilities with Hybrid Analysis regardless of the Visual Studio IDE preferred by their developers even in mixed environments.

Struts 1.x MVC support

Struts is one of the most popular java frameworks used for web application development. HP DevInspect for Java 5.0 fully supports integrated security testing within Eclipse or IBM RAD for applications using the Struts framework. Corporations using industry standard design practices can now take full advantage of the Hybrid Analysis inherent in HP DevInspect.

Hybrid Analysis

HP DevInspect is the only product to combine static analysis of all byte-code (both Java and MSIL) with dynamic black-box vulnerability scanning in one. The static analysis and dynamic scan engines have both been upgraded in HP DevInspect 5.0 to increase the accuracy, performance, and repeatability of our Hybrid Analysis. The time and money spent finding and fixing security vulnerabilities can now be dramatically decreased by equipping developers with an IDE with built-in Hybrid Analysis.

Vista Support

HP DevInspect for Java and HP DevInspect for .Net are now fully supported on Microsoft Vista. IT organizations looking to upgrade their existing desktop environments can transition their developers without risking their ability to perform Hybrid Analysis on their applications.

Ready for Download today!

QAInspect 5.0 is now available.

patrick.wolf — Mon, 31 Mar 2008 16:02:00 GMT

Introducing HP QAInspect 5.0

HP QAInspect completes the third pillar of Application Lifecycle Optimization. Does it work? Does it perform? Is it secure? Built on the foundation of the award-winning application scanning technology in HP WebInspect, QAInspect enables quality professionals to fully manage the process of finding and fixing security defects early in the application lifecycle. This ability to manage security defect testing early in the application lifecycle mitigates risk in the application, saves money on revisions over the life of the application, and produces more holistic data for a Go/No Go decision. The upcoming release of HP QAInspect 5.0 extends the already robust integration with Quality Center with the following new features:

Defect Staging

New in QAInspect 5,0 is a staging area to vet vulnerabilities before they are added to the defect table within QC. Users can fully test and validate all vulnerabilities found by the scan to ensure that application developers are only spending development cycles fixing confirmed defects.

Defect Consolidation

Vulnerabilities found during a scan can now be viewed as a consolidated list, grouped by application page or defect type. For example, a user may view all vulnerabilities found on the login page of an application. Similarly, a user may view all Cross-Site Scripting vulnerabilities or all SQL Injection vulnerabilities grouped into a single pane. The ability to group vulnerabilities allows users to more quickly log specific defects and assign defect tasks to developers with greater accuracy.

Folder Restrictions

Restrict the crawl and audit of a scan to a particular folder. This allows much more granular control of the testing allowing for better targeted security testing. Once a particular application section has been audited and all security issues mitigated to an acceptible degree it can be moved to regression; focusing new security testing and fixes on new functional areas of the application.

Parameter Highlighting

As the size and complexity of web application pages grow the ability to quickly find a specific parameter within a vulnerable page becomes a greater burden. In order to eliminate the time wasted by developers searching a page for a particular vulnerability all defect reports now highlight the specific vulnerable parameter within the HTTP Request/Response pair. Developers can easily find the vulnerable part of the application and apply a fix with limited downtime.

Trial License Now Available (Click Here)

This release includes a trial license allowing Quality Center customers to download and evaluate QAInspect for 15 days; enabling them to make better purchase decisions. Talk to your sales representative for more details.

New HP Application Security Resource Library

erik.peterson — Fri, 11 Jan 2008 16:43:00 GMT

Hi everyone, we have just completed the new HP Application Security Resource Library. Your one stop shop for product datasheets, whitepapers and presentations. If you currently going to the downloads section on the Portal site for some of this information please update your links and use this new location instead.

If you haven't had the chance to read some of our whitepapers or presentations, take a moment to check it out, there are great articles on dealing with AJAX security issues, PCI Compliance as well as papers on SQL Injection and Cross Site Scripting (XSS). All together the new HP Application Security Resource Library might be one of the largest collections of application security focused documents available on the web.

We are also always looking for requests on what papers and articles you would like to see added, drop us a comment or two with your requests.

Thanks,

Erik

WebInspect 7.7 just around the corner

erik.peterson — Fri, 05 Oct 2007 08:58:00 GMT

WebInspect 7.7 coming soon, so what's new? Great question!

What better way to let our customers know that HP is 100% commited to improving and delivering new functionality in WebInspect than to bring everyone a new release. This is our second WebInspect product update since getting aquired and there is a lot of things in this release that I think is going to make everyone very happy.

What's New

Re-branding to HP
WebInspect has been re-branded to show that it is now a part of the HP Software family. I had the task to pick from all sorts of images to find the one for the splash screen, i'm not sure I found the right one so I plan on changing it in the next release. I'd like to give the WebInspect community the oppertunity to suggest what we put in there next release so drop me a comment with your ideas.
New Reports
A new False Positive report provides a list of the vulnerabilities that are currently marked as false positive. See “Improved False Positive Handling” below for more information.
Compliance Updates
Two new compliance templates will generate compliance reports based on OMB and OWASP Top 10 2007 requirements. The OMB template addresses major application security sections that were defined in December 2004 by the Office of Management and Budget (OMB) for Federal agency public websites. While the previous OWASP Top 10 list included a mix of vulnerabilities and attacks, the OWASP Top 10 2007 list focuses on vulnerabilities.
False Positive View
WebInspect now has a False Positive view that allows you to see the vulnerabilities and sessions that are currently marked as false positive. From the False Positive view, you can select a session or a vulnerability that you have determined is not a false positive and mark it as a vulnerability again. See “Improved False Positive Handling” below for more information.
Vulnerability Filtering
You can now filter vulnerabilities to prevent multiple parameters for the same session or multiple values sent for the same parameter from appearing multiple times in the site tree and reports. Vulnerability filtering consolidates the related vulnerabilities into a single vulnerability. The Vulnerability Filter is disabled by default, but can be configured on the Settings window under Audit Settings.
Enhanced Web Services Scans
WebInspect now supports the use of log-in scripts and a means of specifying parameter values for web services scans.

What’s Improved

Improved IPv6 Scanning
WebInspect now has improved recognition of IPv6 literal URLs and improved scanning of IPv6 sites. You can type an IPv6 literal URL into the scan wizard and WebInspect will validate the entry, parse the URL, and recognize IPv6 literal addresses in links on web pages. Additionally, Web Discovery handles IPv6 endpoints and range enumeration.
Improved SOAP Assessment
WebInspect can now assess web sites that use SOAP Version 1.2 to transmit SOAP messages. SOAP Editor modifications have been made to collect SOAP message values for WSDL scans. Additionally, several known issues involving the SOAP Editor and SOAP assessments have been resolved to generally improve overall SOAP assessments.
Improved Status Communication to AMP
The WebInspect sensor now sends regular status updates to AMP. The updates are displayed as "Scanning X of Y; Duration:00:00:00:0000; Errors:0" in the Devices à Sensors view on the AMP Console.
Improved False Positive Handling
In the Vulnerabilities tab, you can select a session or a vulnerability that you believe to be false positive and send an immediate notification to HP support. If a vulnerability is selected, a list of all URLs that are vulnerable appear in the Mark as False Positive window. You can select all URLs or individual URLs to mark as false positive. You can also type a comment to send to HP support along with your false positive notification. I want to stress how cool this feature is because we have built a portal here at SPI/HP that we log into and can review this stuff. The reports you are sending us are being read by our SPI labs team to help guide the improvements and check changes they make on a daily basis.
Improved Support Channel Communication
After submitting a false positive notification to HP support, you will receive a pop-up message from SPI Monitor that includes a tracking number for the notification being sent.

That's it! We hope you enjoy it when it's released, look for it on SmartUpdate on the usual download locations sometime next week.

WebInspect Update planned this week

erik.peterson — Sun, 12 Aug 2007 19:55:00 GMT

Quick update, there will be a minor update for all WebInspect users this week. Mainly lots of little fixes (like the broken SQL Injector start menu link, oops!) but one new feature: Deactivate License.

Ever since we introduced our new licensing system we have made it way too hard to move your copy of WebInspect from one machine to another requiring you to call our support guys if you wanted to move the license. The new deactivate license feature (found under application settings->license) allows you to deactivate your install (returning WebInspect to a unlicensed state) which then frees up your license to be used again wherever you want. Just use the same activation token you received from us when you bought WebInspect to reactivate your new installation.

For those of you who move your copy of WebInspect around a lot, this should be really handy. Just remember to deactivate before you re-image that machine and you can re-use the activation token again later.

If you have any questions, please post them here and I'll be quick to answer, thanks!

QAInspect 4.0.1 for HP Quality Center is now available!

erik.peterson — Mon, 06 Aug 2007 10:27:00 GMT

Hot on the heels of WebInspect 7.5 is HP QAInspect 4.0.1 for HP Quality Center (say that 5 times fast!)

New features include:

Quality Center 9.2 support
Crawl-Only feature
Windows Authentication for AMP
Ability to update license through a proxy

Contact your support represenatitive or our sales team today for more information. If you are an existing customer run SmartUpdate now to get the latest updates.

WebInspect 7.5 now available!

erik.peterson — Thu, 26 Jul 2007 09:55:00 GMT

Download now from https://download.spidynamics.com/products/WebInspect/ or use SmartUpdate.

What's New

Pre-scan Profiler – WebInspect's new pre-scan Profiler analyzes the application and offers suggestions for changes to the scan settings to optimize your assessment. The Profiler can evaluate and recommend settings for authentication, proxies, files not found, allowed hosts, and much more.
The Profiler can be launched as a separate tool or configured in the Scan Wizard to automatically launch prior to the start of a scan.
Interactive Logout Notification – During an interactive mode scan, WebInspect notifies you when a logout has occurred, and displays a browser view of the page where the logout occurred, allowing you to login again.
Traffic Monitor – The Traffic Monitor allows you to view HTTP traffic in real time during a scan. The Traffic Monitor displays every request sent and response received by WebInspect in real time during the crawl and audit.
Enterprise Assessment – Enterprise Assessment provides you with a comprehensive overview of your Web presence from an enterprise network perspective. URLs and IP addresses can be entered individually, or WebInspect can discover all available servers within a range of IP addresses and ports that you specify.
Right-click SQL Injector – You can now launch the SQL Injector tool by right-clicking on a vulnerable session and selecting SQL Injector from the Tools menu.
Regex in Allowed Hosts – You can now use Regex in the Allowed Hosts list, so that if a host matches a Regex pattern entered, it will be allowed for crawl and audit.
Launch Interactive Mode from Web Macro Recorder – You can now configure the Web Macro Recorder to launch Interactive Mode as part of a Macro.
Restore Factory Defaults to Application Settings – You can now restore Application Settings to their factory default settings.
Launch SPI Proxy from WebInspect Scan Wizard – You can now launch SPI Proxy from the Configure Network Proxy window in the Web Site Assessment wizard.
Windows Vista Support - WebInspect 7.5 is now fully supported under windows Vista (Please note, support for 64 bit systems is still forthcoming)

What's Improved

AJAX Auditing – AJAX Web applications can create several opportunities for possible attack if the application is not designed with security in mind. Since AJAX Web applications exist on both the client and the server, they include the following security issues:
- Create a larger attack surface with many more inputs to secure
- Expose internal functions of the Web application server
- Allow a client-side script to access third-party resources with no built-in security mechanisms
Improved AJAX auditing detects common AJAX frameworks that involve the following:
- Function calls made in a client-side scripting language, such as JavaScript
- Use of the XMLHttpRequest objects to make data requests without having to reload the page
- Use of JavaScript Object Notation (JSON) format to transfer data between the server and client
Export Ability in Log Viewer – You can now export Audit, Crawl, Scanner, and StateRequestor logs from the Log Viewer tool.
Manage Scans Enhancement – You can now select and delete multiple scans in the Manage Scans window.
Export Scan Details Enhancement – The Export Scan Details window has been redesigned for improved usability.

WebInspect 7.1 Now Available

erik.peterson — Tue, 22 May 2007 15:21:00 GMT

Now Available

The Next Generation of Web Application Scanning

WebInspect 7.1 features Server Analyzer, a new advanced tool for pen-testers:

Server Analyzer is a web server identification and discovery tool designed to quickly identify and understand the nature of a web server or web-enabled device.

Identifies popular web server software, web application software, embedded/web-enabled devices, and supporting network architecture components such as proxies and load balancers.
Uses a special characteristic-based identification technology that is capable of deducing the server software type despite attempts to hide the server software's true identity.
Improves server identification accuracy reduces false-positive identifications due to configuration obfuscation.
Performs deep SSL SSL analysis on HTTPS sites, showing various information related to the server's SSL configuration.

The following additional WebInspect 7.1 enhancements were designed to further simplify and speed up the installation and assessment processes.

New simple scan enabling users to conduct a comprehensive scan by entering only the URL, user name and password.
Faster scans through redundant page detection.
Simplified installation process by removing the dependency on SQL Server Express.
Enhanced Quality Center integration. Send defects directly to QC from WebInspect's site tree or vulnerability pane.

Already a Customer?

If you are already a WebInspect 7.0 customer and need to upgrade, please run WebInspect and click on the SmartUpdate icon at the bottom of your screen.

If you would like to download the installer, please click here.

Join the SPI Community
Blogs, Forums, Downloads and more

DevInspect for Java SP1 (version 3.0.1.0) now available

erik.peterson — Tue, 03 Apr 2007 14:50:00 GMT

We released last Friday (3/30/07) a service pack to DevInspect for Java to fix some critical installation issues that were causing customers a lot of pains in their installation process when trying to evaluate the Java product. They were minor issues, but were popping up a lot, so we decided we needed to get them fixed as soon as possible to smooth the evaluation process. We also included a new and improved QuickStart guide with more detailed instructions on getting started. The getting started information is also available as an Eclipse “cheat sheet” within the software, so users will see a guided tutorial that helps them get licenses and scanning after installation.

This version of the DevInspect for Java product is 3.0.1.0, but is functionally identical to the 3.0.0 version. The DevInspect 3.0.1.0 for Java version contains the following:

Fixed an issue with the DevInspect 3.0.0 installation package that in some instances failed to recognize that the required Windows Installer version was present on the installation target.
Fixed an issue with the DevInspect 3.0.0 installation package that failed to recognize that the .NET Framework 2.0 was present when .NET Framework 3.0 had been installed.
Enhancements to the QuickStart and User Guide documentation to help users get started with configuring and using DevInspect.
Introduction of an Eclipse “cheat sheet” that walks the user through the steps to get started with DevInspect. The cheat sheet will appear upon initial startup of the standalone version of DevInspect. In other versions, or after closing the cheat sheet, you can open it by opening Window…Show View…Other and selecting the Cheat Sheets view.

Since these items are in response to installation and ease-of-use issues, if a customer is up and running, they do not need to pick up this service pack. For those that need the service pack to address installer issues, it is distributed in two ways:

A new installation program is available at: https://download.spidynamics.com/products/DevInspect/Java/DevInspectJavaSetup.exe

Existing users can update to this version through the Eclipse Update Manager. To check for DevInspect feature updates, or if you have received notification from SPI Dynamics that a new release is available, follow these steps. Go to Help…Software Updates…Manage Configuration. In the Product Configuration dialog, locate and select DevInspect for Java. In the right-hand pane, select Scan for Updates. If updates are found, follow the on-screen instructions to upgrade to the latest version of DevInspect.

Finally, for those that just need the new and improved QuickStart information, you can get that document here: https://download.spidynamics.com/products/DevInspect/Java/DevInspectJavaQuickStart.pdf

WebInspect Update now Available

erik.peterson — Sat, 17 Mar 2007 13:31:00 GMT

Hot on the heels of our 7.0 release on Feb 14th, i'm happy to announce that our next WebInspect update release, version 7.0.286.3, is now available via SmartUpdate and download. This update delivers close to 250 issues and minor enhancements to the new WebInspect 7 platform. If you haven't already downloaded it, please check it out now by hitting SmartUpdate.

We have also already started on the next update release as part of our new rapid release strategy, expect to see a steady stream of continuous updates throughout the year all made possible by our new Phoenix architecture. If you are looking for a new feature or have a particular annoyance you would love to see us address let us know by heading over to our WebInspect product forums and letting us know. For those of you who are customers and haven't already done so, make sure you have activated your portal account for full customer access and to gain access to the product support forums as well by sending an e-mail to portal@spidynamics.com.